Adaptation of access rules for a data interchange between a first network and a second network

ABSTRACT

Adapting access rules for a data interchange between a first network and a second network by the second network is provided based on a service-specific integrity information item of the first network, wherein the first network processes data for carrying out a service and the service defines multiple components. A respective integrity status is transmitted for each of the components by each respective component via a communication link within the first network to a management unit of the first network. The service-specific integrity information item is computed based on each respective integrity status by the management unit. The service-specific integrity information item is transmitted by a network access point of the first network to a receiver in the second network for adapting the access rules. Access by the receiver to each respective integrity status is prevented.

CROSS-REFERENCE TO RELATED APPLICATION

This application is the National Stage of International Application No.PCT/EP2014/066814, filed on Aug. 5, 2014, which claims priority toDE102013219375.0, filed Sep. 26, 2013, both of which are herebyincorporated by reference in its entirety.

FIELD

The present embodiments relate to a method for adapting access rules fora data interchange between a first network and a second network via thesecond network on the basis of a service-specific integrity informationitem of the first network, and to a system for providing aservice-specific integrity information item on the first network.

BACKGROUND

The provision of services often requires the cooperation of differentservice providers. A term used in this context is “service orientedarchitecture.” By way of example, the widespread use of cloud servicesrequires an end customer to cooperate with a cloud service provider.Between the two partners, contractual relationships exist that describethe service. In addition, the cloud service provider can in turnoutsource some of the provided service to other service providers.Contractual safeguards between the service providers are also necessaryin this case. An example from the realm of automation is a smartmetering method using a smart meter device (e.g., an electricity meter)associated with a meter data operator. The meter data operator isconnected to an energy supplier in order to make the consumption dataavailable for billing.

For such service provision, the integrity of devices that are involvedplays a crucial part, since intentional or unintentional alterations ormanipulation can adversely affect the quality of the service or disruptthe service provision.

The prior art discloses network access checks, checking informationabout a present configuration of a system before network access isenabled. In this case, terminals are checked for guideline conformitywith guidelines for a network during authentication.

The conventional art further provides a device attestation that assuresthird parties of system properties of a component via a trusted platformmodule, TPM for short. In this case, a hardware security integratedcircuit produces a cryptographically protected configuration informationitem about the executed software of a component.

The conventional approaches involve the integrity of a single devicebeing protected or an integrity information item of a single devicebeing confirmed. In a case of a service oriented architecture, integrityinformation of a single device is not semantically significant, however.A service, such as the provision of a particular service interface, canbe provided on multiple different devices. A service can even call otherservices, that may, in turn, be provided on different hardware devices.

SUMMARY AND DESCRIPTION

A service provider wants to protect internal matters concerning itscomputer center from disclosure to customers or business partners. Aninformation item concerning individual devices or components of aservice provider therefore needs to be avoided.

The present embodiments are therefore based on the object of providing amethod and a system that can provide a protected integrity statementabout a service of a first network.

A method is provided for adapting access rules for a data interchangebetween a first network and a second network by the second network onthe basis of a service-specific integrity information item of the firstnetwork. The first network processes data, for carrying out a service,and the service defines one or more components. The method includestransmission of a respective integrity status for the number ofcomponents by the respective component via a communication link withinthe first network to a management unit of the first network. The methodalso includes computation of the service-specific integrity informationitem on the basis of the respective integrity status(es) by themanagement unit, and transmission of the service-specific integrityinformation item by a network access point of the first network to areceiver in the second network for adapting the access rules. Access bythe receiver to the respective integrity status(es) is prevented.

By way of example, the first network and/or the second network is/areunderstood to mean a respective domain that may be administratedseparately and independently of the other domain in each case. By way ofexample, a domain includes a computer center and components such asservers or hardware components. It is also possible to refer to anetwork domain or a respective administrative separate network zone.

The first network carries out a service. The service may be particularlyan editing step for data that is outsourced by the second network. Thesecond network wishes to have the service handled by an external networkor an external domain, for example on account of a lack of resources.The first network is then a service provider, for example, in thecontext of a cross domain service.

The communication link within the first network may be providedwirelessly or in wireless form.

In the present application, a management unit is understood to meanparticularly a unit that has central access to a respective integritystatus of a respective component of the first network. Such a managementunit is also called an inventory management system. The centralinventory management is used to record the integrity state of individualsystems within the first network or the first domain. The managementunit additionally has information about the association of thecomponents with services.

To ascertain a respective integrity status, the management unit canadditionally stipulate criteria for a check for each component. Themanagement unit may request information from a component or a deviceregarding the software version number, regarding installed viruspatterns, or regarding similar security-relevant parameters. Facilitiesthat are present on a component, e.g., a terminal, in order to providesystem properties in a protected manner, e.g., a trusted platformmodule, can be used in the management unit in order to outsource thecheck on the integrity of an individual device to another device. Themanagement unit requests particularly the respective integrity status onthe components that the management unit identifies as belonging to theservice.

Access to the integrity status of a component of the first network isnot possible from the receiver in a second network. In this case, thereis particularly no possibility of provision of a communication link fromoutside the first network directly to a component. In addition, internalinformation, such as about the integrity of individual devices, cannotbe forwarded directly to external communication partners outside thefirst network.

Hence, a service provider does not have to disclose internal informationfrom its own system. In addition, it is advantageous for the secondnetwork that wishes to use the service of the first network to beprovided with a service-specific integrity information item in the firstnetwork. In particular, the complete information regarding devices orservers within the first network that are needed for carrying out theservice is not available on the second network. In this case, a servicecan be provided on multiple different devices and/or call other servicesthat are provided on different hardware devices or access differentservers.

If the receiver in the second network receives the service-specificintegrity information item and if adoption of data from the firstnetwork is not permitted on account of an integrity information itemthat classifies the first network as not trustworthy, then filter rulesin the second network are adapted or tightened. By way of example, thecommunication of two different IP address ranges can be controlled ineach case via a gateway that additionally has a function of a firewall.The relevant measures as a reaction of the integrity information itemare then implemented by a configuration setting of the firewall. To thisend, there is an association between received integrity informationitems and filter codes of the firewall.

According to one advantageous embodiment, the service-specific integrityinformation item provides a service identifier, a domain identifier, anintegrity checking code, and/or a time stamp.

An explicit association is ensured between the service-specificintegrity information item and the service or the domain that carriesout the service. An integrity checking code can additionally specify inwhat way or on the basis of what policy or code the service-specificintegrity information item has been ascertained. It is possible tospecify the criteria that underlie the check on the component forascertaining the respective integrity status. A time stamp canadditionally ensure that the service-specific integrity information itemis up to date.

According to one advantageous embodiment, the service-specific integrityinformation item provides a list or a link to a list of the number ofthe components.

When the link to a device list is specified, the list can be madeavailable centrally. The list may be set up in a similar manner to acertificate blacklist or a white list or positive list. Besides thecomponent names, the list may also include the respective integritystatus or a valuation-less direct or unprocessed result of a check onthe respective component. The service-specific integrity informationitem can be transmitted via the network access point (e.g., for thepurposes of TLS) as an encryption protocol. The list of the componentscan be provided via a further access point (e.g., via a web server whoseassociated link is included in the service-specific integrityinformation item).

According to one embodiment, the integrity information item isrepresented by a value including a set of at least two values.

By way of example, two classes may be provided, or two categories, thefirst category representing an intact or integral or nonsuspect state ofthe first network or of the components of the first network that arerequired for the service. A second category then represents anuntrustworthy state. A binary representation with 0 or 1 can then beused to provide the relevant category as a service-specific integrityinformation item.

In addition, more fine-grained categories may be provided that providethe receiver with more detailed information about the state ofindividual components. Hence, it is advantageously possible for thesecond network to adapt access rules. Hence, different measures can beinitiated on the basis of the service-specific integrity informationitem. It is thus possible to deny use of the service completely if anegative integrity information item is transmitted to the secondnetwork. When a detailed analysis is provided, the second network mayhave a service performed in part by the first network. In this case,only noncritical data may be transmitted to the first network. Inaddition, the first network may make available to the second networkonly data that are used for non-security-critical applications withinthe second network.

According to one embodiment, the second network is administrated by asecond management unit that is different than the first network.

It is therefore possible for the two networks to be comparable systems.In particular, the system integrity of both networks as domains of twoservice providers can be ensured via the disclosed method beingperformed from the point of view of both domains. This can include notonly the integrity of the devices of the domain but also othercharacteristic system or service properties, such as a presentutilization level of servers or an available network bandwidth, forexample.

According to one embodiment, the number of components is produced in theform of computation units including a processor for carrying out theservice within the first network.

The first network can provide a multiplicity of services. Multiplecomputation units or subsystems within the first network canadvantageously be used for quickly carrying out the service.

According to one embodiment, the data transmission between the number ofcomponents and a subscriber outside the first network is carried out viaa network access point, wherein the network access point limits the datatransmission.

Hence, the components for a subscriber outside the first network are notdirectly addressable. The communication between the first network andthe second network is therefore routed via the network access point ordomain access point or service access point. The data transmission isthus ensured for the purposes of carrying out the service if theintegrity of the service is confirmed. At the same time, the individualintegrity statuses of the components are protected against access fromoutside the network.

According to one advantageous development, the service-specificintegrity information item is transmitted as part of an authenticationcertificate.

In the course of the authentication of the first network to the secondnetwork, the service-specific integrity information item may also betransmitted. By way of example, the authentication certificate having anidentifier for the domain and a public key assumed by a certificationentity is transmitted together with the integrity information item. Toensure the confidentiality, authenticity, and integrity of the datatransmitted with the authentication certificate, the authenticationcertificate includes a digital signature whose genuineness can bechecked by the receiver using the public key of the certificate user.

According to one embodiment, the service-specific integrity informationitem is tied to an authentication certificate via an attributecertificate.

The attribute certificate then includes the service-specific integrityinformation item, inter alia, and refers to the associatedauthentication certificate. In this case too, a trustworthy entity usesan electronic signature to confirm the tie between the integrityinformation item and the authentication certificate and hence a senderin the first network.

In this case, the authentication certificate is checked by the receiverusing the public key of the certificate user. The decoupling of theintegrity information item from the authentication certificatesimplifies the provision of the integrity information item, since theauthentication certificate does not need to be regenerated wheneverintegrity information is provided. This allows dynamic association ofassurances about the requested integrity state or what are known asintegrity attestations with the authentication certificates.

The trustworthy integrity or certification center for the attributecertificate may be different than that for the authenticationcertificate.

According to one embodiment, the first network produces an attestationfor the service-specific integrity information item on the basis ofcryptographic key material.

In this case, particularly the management unit of the first network canprovide an attestation about the achieved security status of the firstnetwork or of the first domain or of the combination of components thatare needed for the service. The cryptographic key material used may,particularly in the case of asymmetric encryption methods, be a privatekey of the inventory management system or a symmetric key thatrepresents a shared secret between the first network and the secondnetwork.

According to one embodiment, the attestation is formed by acryptographic checksum of the management unit.

The management unit (e.g., the inventory management of the firstnetwork) acts as a trustworthy, certificate-issuing component. Thecryptographic checksum protects the attestation against manipulation.The cryptographic checksum may be a digital signature, such as an RSAsignature, a DSA signature or an EC-DSA signature, for example, or anauthentication code, such as a message authentication code, e.g.AES-CBC-MAC, HMAC-SHA256.

According to one embodiment, the attestation is evaluated by thereceiver.

The second network can particularly perform a signature check using thepublic key of the management unit of the first network. This ensures theintegrity of the integrity information item and the authenticity of thesender in the first network. In addition, evaluations can be performedregarding the up-to-dateness of the integrity information item or theattestation about the integrity information item.

According to one embodiment, the attestation is produced on the basis ofa feature of the second network.

The integrity confirmation can then be generated dynamically at therequest of the second network in the first network. In particular, atime of a request may also be included in the attestation, so that it ispossible to ensure that the attestation is up to date or fresh. As aresult, the second network also delivers a feature in the request thatinvolves the first network in the generation.

The disclosed embodiments additionally relate to a system for providinga service-specific integrity information item of a first network,wherein the first network can process the data for carrying out aservice and the service can define components for transmitting arespective integrity status of the number of components via acommunication link in the first network to a management unit in thefirst network. The system includes a management unit for computing theservice-specific integrity information item on the basis of therespective integrity status(es) and a network access point of the firstnetwork for providing the service-specific integrity information itemfor a receiver for adapting an authorization. Access by the receiver tothe respective integrity status(es) can be prevented.

According to one embodiment, the system additionally includes anattestation unit for producing an attestation on the basis of theservice-specific integrity information item via cryptographic keymaterial.

According to one embodiment, the system additionally has a connection toan attestation unit or certification entity for performing the methodacts described above.

The scope of the present invention is defined solely by the appendedclaims and is not affected to any degree by the statements within thissummary. The present embodiments may obviate one or more of thedrawbacks or limitations in the related art.

DESCRIPTION OF THE FIGURES

The disclosed embodiments are explained in more detail using exemplaryembodiments with reference to the figures.

FIG. 1 depicts a schematic illustration of a system for performing amethod according to an exemplary embodiment.

FIG. 2 depicts a schematic illustration of a system including a firstnetwork and a second network for respectively performing a methodaccording to another exemplary embodiment.

DETAILED DESCRIPTION

According to one disclosed embodiment, a process act B is intended to beperformed in a second network D2 within an automation installation whenthere are constraints that turn out differently depending on process actB. In this case, the constraints can be formed by surroundings-specificand variable data. Information about the constraints is obtained via aservice provider. The service provider is a first network D1 thatcontains multiple components K1, K2, K3 for carrying out the service.

Process act B is additionally intended to be carried out only when, inaddition to the information, there is also an attestation DIA orassertion that confirms an integrity state DI for the components or forthe combination of components that are involved in the service (e.g.,when the information that is provided about the integrity of the servicecomponents is extended by an attestation DIA about the service-specificintegrity information item DI). The constraints that are relevant forprocess act B may be historical or present data or forecast values.

If, by way of example, a material-processing act is intended to beperformed only when a constant ambient temperature is guaranteed or whenthere is variation within a stipulated temperature range, then theremust be an assured temperature forecast within the installation. To thisend, the second network D2 uses a service of the first network D1 toprovide temperature values and temperature diagnoses. This service isprovided with the first network D1 by involving the components K1, K2,K3. In this case, a first component K1 is a first sensor installedwithin the installation. A second component K2 is an external sensor,and a third component K3 is a server that can request weather forecastvalues from an external weather station and makes said values availableto the first network D1.

A management unit IM within the first network D1 is embodied as aninventory management system. The management unit IM collects informationabout individual integrity statuses I1, I2, I3 of the components K1, K2,K3. In addition, the management unit IM derives a service-specificintegrity information item DI therefrom for each service that the firstnetwork D1 makes available. As a result, the management unit IMascertains a security status for the first network D1. Advantageously,the checks on the components K1, K2, K3 are initiated at regularintervals via of the management unit IM regularly requesting theintegrity status I1, I2, I3 of the components K1, K2, K3. Thus, anup-to-date security status is always available for the various services,which particularly access different servers and may therefore have adifferent status than one another.

When the second network D2 requests the service for providing thetemperature forecast, a network access point DAP, also called domainaccess point, of the first network D1 makes a request for aservice-specific integrity information item D1 to the management unit.The network access point DAP requests a statement about the state withregard to the integrity of those components that are used for carryingout the service. The management unit IM can take a requested statementas a basis for ascertaining the up-to-date respective integrity statusI1, I2, I3 of the respective component K1, K2, K3.

The management unit IM issues the network access point DAP with anattestation DIA about the service-specific integrity state DI or what isknown as a domain integrity assertion.

The check on servers that the service accesses or devices fromsubnetworks that have access to the first network D1 may occur only insome cases, or vice versa, can be initiated regularly by using a networkaccess control method, for example. Thus, the management unit IM hasup-to-date statements available about the integrity state of the serversat all times. Besides an indication of the integrity status I3 of aserver that is needed for the service, it is also additionally possibleto involve the integrity of a management system of the server in orderto ensure a higher quality of service.

The management unit IM ascertains the service-specific integrityinformation item DI in the function of a domain integrity compliancemanagement. The domain integrity assertion is a service-specificintegrity information item DI digitally signed by the inventorymanagement and is made available to a domain access server DAS. Thelatter can use the domain integrity assertion directly or forward thedomain integrity assertion at the request of third parties. If theassertion is used directly, the assertion can be transmitted as part ofthe authentication certificate AZ of the domain access server DAS in theauthentication process between the first network D1 and the secondnetwork D2. The authentication certificate AZ is issued by acertification entity CA.

The assertion can also be transmitted as part of a security protocol,such as Internet protocol security (IPSec), or transport layer security(TLS), for example.

In the second network D2, the assertion is validated by a receiver VERusing a signature check, an up-to-dateness check, or an association withthe domain, identified via the IP address space or a domain name systemname range.

In addition, the domain access point can make available a list ofcomponents K1, K2, K3 belonging to the service and the respectiveintegrity statuses I1, I2, I3 of said components. Besides the ratingresult of the inventory management system that may be a pure yes/nostatement with regard to the integrity, a more detailed list isadditionally transmitted. Transparency for a user of the service isincreased and can particularly provide information if an integrityattestation that is not completely positive is provided.

The attestation DIA provided can be taken as a basis for enabling aservice via terms of logic AND functions for authorizations. When anattestation DIA with maximum positivity is provided, complete integrityof all components involved is then assumed and access is enabled thatcombines all the possible authorizations using a logic AND function.

If the transmitted integrity information item DI or attestation DIAmeans that a worse security status for the service-provided domain isassumed, then the authorizations are restricted. That is, only somesteps of the service are used, for example.

If, in the example described, an attestation DIA may issue confirmingcomplete integrity of the internal and external sensors but notclassifying the integrity status of the server for ascertaining thetemperature forecast data as trustworthy. Then the second network D2(e.g., a control system of the automation installation) can accept dataprovided by the service only in part. The installation can then becontrolled using the temperature data from the sensors, whereas thetemperature forecast data are ascertained by resorting to a service fromanother service provider.

In addition, a system according to another exemplary embodiment providessecure service provision when cross domain services are used. Crossdomain information exchange is the basis for many industrial smartscenarios (e.g., smart grid, smart city or smart factory). Specificoperating data is provided from one domain for another domain, and thedomains involved are under different administrative control. Theinterchanged data are used for monitoring and control by a controlsystem of one of the domains, for example.

In such a setting, particularly the reciprocal verification of anadequate integrity status is advantageous.

In a second exemplary embodiment, the first network D1 is equipped witha first management unit IM1 or first inventory management system. Thesecond network D2 is equipped with a second management unit IM2 or asecond inventory management system. The method described above or anembodiment thereof is performed both from the point of view of thesecond network D2 with the first network D1 as service provider and fromthe point of view of the first network D1 with the second network D2 asservice provider.

It is thus possible for respective received control commands CD1, CD2 tobe accepted by respective control components C1, C2 of the respectivedomain based on a respective transmitted attestation DIA1, DIA2 aboutthe security status of the domain sending the control commands.

The first management unit IM1 particularly issues a firstservice-specific integrity information item DI1 and forwards the itemDI1 to an attestation unit Z. Attestation unit Z produces a signaturefor the first service-specific integrity information item DI1 and makesthe signed integrity information item available to a first networkaccess point DAP1 as a first attestation DIA1. The first network accesspoint DAP1 provides the second network D2 with the first attestationDIA1 and uses a first data communication interface CIF1 to transmit afirst control command CD1 to the second control component C2.

By way of example, a professionally operated domain can perform moreextensive actions in the network of the requesting domain than a lessprofessionally operated domain.

The performance of the service may be started in the first network D1 onthe basis of the provided integrity state of the network D2. Theservice-providing domain, e.g., the first network D1, can ensure thatthe data that are provided for the second network D2 as the result ofthe service are not provided for a domain whose integrity state isitself poor. This may be conceivable particularly when critical data aretransmitted, for example personal data or key material.

Within industrial installations, for safety-critical applications, theinformation from the attestation DIA about the loss of integrity on asubsystem can result in redundancy systems or alternative serviceproviders being used. When a drop in integrity is identified, the firstmanagement unit IM1 of the service-requesting domain may send an alarmsignal A to a component K1 of the first network D1.

If the service is provided by a single device, e.g., the first networkis formed by the single device, then the attestation about the integritystate of the device is advantageously appended directly when the deviceis authenticated. One example of single device service is for the caseof remote administration. The attestation can then also be requestedfrom the remote domain, in the case of access via a local domain servicepoint.

In addition, if a service provider, e.g. a remote service in the firstnetwork, connects to a device in the second network, then the device inthe second network can ensure that the administrative access by theremote service is effected only if the integrity status of the serviceprovider is good. If the remote service engineer connects a computer onwhich there is no up-to-date patch status, then the device in the secondnetwork can reject the remote service request, since the integritystatus is inadequate and hence there are potential risks in theexecution of the service from the point of view of the second network.

In addition, a service provider can verify compliance with a quality ofservice agreement or a service level agreement to a customer.

The respective components and the management unit may be implemented inhardware and/or software. When implemented in hardware, the respectiveunit may be in the form of an apparatus or in the form of part of anapparatus (e.g., in the form of a computer or in the form of amicroprocessor). When implemented in software, the respective componentand management unit may be in the form of a computer program product, inthe form of a function, in the form of a routine, in the form of part ofa program code, or in the form of an executable object.

It is to be understood that the elements and features recited in theappended claims may be combined in different ways to produce new claimsthat likewise fall within the scope of the present invention. Thus,whereas the dependent claims appended below depend from only a singleindependent or dependent claim, it is to be understood that thesedependent claims may, alternatively, be made to depend in thealternative from any preceding or following claim, whether independentor dependent, and that such new combinations are to be understood asforming a part of the present specification.

While the present invention has been described above by reference tovarious embodiments, it may be understood that many changes andmodifications may be made to the described embodiments. It is thereforeintended that the foregoing description be regarded as illustrativerather than limiting, and that it be understood that all equivalentsand/or combinations of embodiments are intended to be included in thisdescription.

1. A method for adapting access rules for a data interchange between afirst network and a second network by the second network based on aservice-specific integrity information item of the first network,wherein the first network processes data for carrying out a service andthe service defines one or more components, the method comprising:transmitting a respective integrity status of each of the one or morecomponents by each respective component of the one or more componentsvia a communication link within the first network to a management unit(IM) of the first network; computing the service-specific integrityinformation item based on each respective integrity status by themanagement unit; and transmitting the service-specific integrityinformation item by a network access point of the first network to areceiver in the second network for adapting the access rules, whereinaccess by the receiver to each respective integrity status is prevented.2. The method of claim 1, wherein the service-specific integrityinformation item provides a service identifier, a domain identifier, anintegrity checking code, and/or a time stamp.
 3. The method of claim 1,wherein the service-specific integrity information item provides a listor a link to a list of the one or more components.
 4. The method ofclaim 1, wherein the integrity information item is represented by avalue comprising a set of at least two values.
 5. The method of claim 1,wherein the second network is administrated by a second management unit,wherein the second network is different than the first network.
 6. Themethod of claim 1, wherein the number one or more components arecomputation units comprising at least one processor for carrying out theservice within the first network.
 7. The method of claim 1, wherein adata transmission between the one or more components and a subscriberoutside the first network is carried out via a network access point,wherein the network access point limits the data transmission.
 8. Themethod of claim 1, wherein the service-specific integrity informationitem is transmitted as part of an authentication certificate.
 9. Themethod of claim 1, wherein the service-specific integrity informationitem is tied to an authentication certificate via an attributecertificate.
 10. The method of claim 1, wherein the first networkproduces an attestation for the service-specific integrity informationitem based on cryptographic key material.
 11. The method as claimed inclaim 10, wherein the attestation is formed by a cryptographic checksumof the management unit (IM).
 12. The method of claim 10, wherein theattestation is evaluated by the receiver.
 13. The method of claim 10,wherein the attestation is produced on the basis of a feature of thesecond network.
 14. A system for providing a service-specific integrityinformation item of a first network, wherein the first network canprocess data for carrying out a service and the service can define oneor more components, the system comprising: the one or more componentsfor transmitting a respective integrity status of the one or morecomponents via a communication link in the first network to a managementunit (IM) in the first network; the management unit (IM) for computingthe service-specific integrity information item on the basis of therespective integrity status(es); a network access point of the firstnetwork for providing the service-specific integrity information itemfor a receiver for adapting an authorization, wherein access by thereceiver to the respective integrity status is prevented.
 15. The systemof claim 14, comprising an attestation unit for producing an attestationbased on the service-specific integrity information item viacryptographic key material.
 16. The system of claim 14 comprising acertification entity configured to: transmit a respective integritystatus for the one or more components by each respective component ofthe plurality of components via a communication link within the firstnetwork to a management unit of the first network; compute theservice-specific integrity information item based on each respectiveintegrity status by the management unit; and transmit theservice-specific integrity information item by a network access point ofthe first network to a receiver in the second network for adapting theaccess rules, wherein access by the receiver to each respectiveintegrity status is prevented.
 17. The method of claim 2, wherein theservice-specific integrity information item provides a list or a link toa list of the plurality of components.
 18. The method of claim 2,wherein the integrity information item is represented by a valuecomprising a set of at least two values.
 19. The method of claim 3,wherein the integrity information item is represented by a valuecomprising a set of at least two values.
 20. The method of claim 2,wherein the second network is administrated by a second management unitwherein the second network is different than the first network.